When you collect and store information in a logical manner, you have a database. In modern uses of the word, a database often refers to the database management system (DBMS), which is a computer program that manages digital data. You use a database management system to interact with your stored data, so it's critical to implement security features that protect the DBMS and any data involved.
This article provides an overview of database management systems with details about database configuration risks when the service runs on an open port.
What is a Database Management System (DBMS)?
Your database management system governs how you access and manipulate stored data. There are many different types of database management systems, each with unique features that serve specific purposes. Relational databases, usually queried with SQL, and non-relational (NoSQL) databases are two of the more commonly used types.
Relational models store information in relations, which are also known as tables. A set of rows called tuples stores information with common attributes (the columns). The columns have specified data types that govern what kind of data can be stored in each field.
Relational databases include a key that defines the entity. A primary key is a designated column with a unique value, such as an employee's identification number. A foreign key creates a relationship between two tables by inserting a copy of the primary key as an additional column in a second table. There are three common relational models:
- One-to-one: A row in one table relates to only one row in another table (one-directionally).
- One-to-many: A row in one table relates to multiple rows in another table (one-directionally).
- Many-to-many: A row in one table relates to multiple rows in another table, and vice versa (multi-directionally).
Many relational database management systems use SQL (Structured Query Language) to manage data and run queries against the database. A variety of open-source and proprietary SQL database products are available, such as MySQL, PostgreSQL, MariaDB, Microsoft SQL Server, SQLite, IBM Db2, and Oracle Database. You can compare RDBMS options, such as PostgreSQL versus MySQL, to determine which features are most beneficial to your organizational needs.
To store data in an unstructured way, you might use a non-relational database (sometimes called a NoSQL database since it does not use SQL). Non-relational databases offer different features, such as the associative arrays in a key-value database or the metadata and API retrieval tooling for a document store or document-oriented database. MongoDB is an example of a non-relational document store that can be compared to a relational counterpart like MySQL.
Your choice of database management system will vary depending on your needs, but whatever you choose will be an essential element in your application stack. When you determine your tech stack, make sure that you have taken the necessary cybersecurity measures to keep your database protected.
Database Security Threats
Consider any potential cybersecurity threats when you choose a database and database management system, as any new software increases your external attack surface.
Take proactive measures to protect your database by understanding these common database security threats:
- Database injection attacks, including SQL injection and NoSQL injection
- Access to sensitive information, like customer PII and financial data
- Data exfiltration and manipulation, resulting in data breaches
- Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks that push high workloads onto your system
- Exploitation due to misconfiguration issues
- Packet sniffing, leading to credential or token theft
- Database backup exposure
- Database access control and permissions issues, leading to compromised user access and unauthorized privilege escalation for database users
- Known and unknown database vulnerabilities
- Malware implantation on your system
- Human error, such as falling for phishing or other social engineering attacks, leading to compromised user accounts
- Insider threats
A multi-layered security solution ensures that your database and any sensitive data in it remain protected from cybercriminals.
Is Your Database Exposed?
You can deploy your DBMS on the same server as the rest of your stack or you can set up a remote server for the DBMS, connecting to it through a dedicated port. The latter option enables you to scale your database separately from the application, but it can increase your attack surface with open ports that provide potential entry points for attackers and data transfer that could be intercepted between servers.
To evaluate whether your database is exposed, you can review your configuration settings and run a scan to identify which of your services are exposed. There are a variety of monitoring tools that you can use, or you can let us run the scans for you with UpGuard BreachSight.
UpGuard scans for a variety of exposed databases and open ports, including the following database ports:
- 'Apache CouchDB' port open
- 'Apache Kafka' port open
- 'CassandraDB' port open
- 'DB2' port open
- 'ElasticSearch' port open
- 'ETCD' port open
- 'HBaseDB' port open
- 'memcached' port open
- 'MongoDB' port open
- 'MySQL' port open
- 'Oracle TNS Listener' port open
- 'PostgreSQL' port open
- 'Redis' port open
- 'Riak' port open
- 'SQLServer Monitor' port open
- 'SQLServer' port open
- 'VoldemortDB' port open
Apache CouchDB is a NoSQL document-oriented database that uses an HTTP API to retrieve and synchronize information across many endpoints. CouchDB installations use port 6984 by default. While the port number can be changed, the service remains identifiable.
Apache Kafka is an open-source distributed event store and stream-processing platform that offers high throughput and low latency. Kafka is used for real-time streaming applications, so care must be taken to secure it if it is internet-facing. Kafka runs on port 9092 by default.
Apache Cassandra is an open-source, distributed NoSQL database management system that deploys multiple nodes in a cluster for high availability and fault tolerance. Cassandra usually uses ports 7000, 9042, and 7199. An exposed Cassandra port creates the potential for malicious actors to retrieve sensitive data, so access to this DBMS should be through internal networks only. You can configure your internal firewall to allow communication only between each node's IP address, and you can further restrict it to the specific network ports the cluster uses.
ElasticSearch is a search engine that is sometimes used as a data storage system because its features align with common use cases for DBMSes. Default configurations run on port 9200 for API requests and port 9300 for node communications.
etcd, which refers to the "distributed etc directory," is a distributed key-value data store used for system configuration and service discovery among distributed systems. It is commonly used for fault-tolerant Kubernetes clusters. The default ports are 2379 for client requests and 2380 for peer communication.
Apache HBase is an open-source, non-relational database built in Java, and it is part of the Apache Hadoop collection. HBase offers a method to host and query big data. HBase default ports include 6000, 60010, and 60020. Because HBase databases store a large amount of data, access control and VPN authentication should be used to protect the database.
Not quite a database, memcached is a memory-caching system that stores key-value pairs. It runs on port 11211 by default but may also use ports 11212 and 11213.
MongoDB is a NoSQL document-oriented database that runs on port 27017 by default. Additional configuration options may use ports 27018, 27019, and 27020. These default ports can be easily identified, so protection measures include limiting traffic to internal networks, closing unused ports, changing the default port, and maintaining regular updates if the port is public-facing.
MySQL databases are an open-source option often deployed as part of the LAMP stack (pairing the Linux operating system with Apache, MySQL, and PHP). MySQL uses port 3306 by default and should not be open to the internet. In addition to being deployed with the LAMP stack, MySQL is also deployed with the LEMP stack, which uses Nginx as the web server in place of Apache.
Oracle offers a proprietary database management system that includes the Oracle TNS Listener to manage communications through the Transparent Network Substrate (TNS) protocol. The listener generally receives connection requests on port 1521, after which it will establish a connection. You can follow Oracle's hardening guidance to protect the listener. You can also limit access over the TNS Listener port to internal networks or authorized IP addresses.
PostgreSQL is an open-source, SQL-compatible relational database that runs on port 5432 by default. Postgres is widely used due to its object-relational design, so it is important to protect the service from potential attackers.
Redis is a NoSQL, open-source, in-memory data store. Redis Cluster offers multi-node sharding that requires a TCP port (typically 6379) and a cluster bus port (typically 16379). To ensure high availability, you can set up Redis Sentinel, which generally listens on port 26379.
Riak is a distributed NoSQL key-value data store that uses a REST API for basic functions. You can configure your Riak nodes to communicate with one another within the cluster. As with other databases, the ports should be accessed through internal networks and with the requisite authentication checks.
Microsoft SQL Server offers a relational database management system built with SQL and used with Microsoft Transact-SQL (T-SQL). SQL Server Monitor provides real-time monitoring for active SQL Server instances. SQL Server uses port 1433 by default, whereas SQL Server Monitor typically uses ports 1433 or 1434.
Voldemort is a distributed key-value data store that was maintained by LinkedIn until 2018.
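The exposure check described in this section, reduced to a local sanity check you can run on a database host, as an added example that is not part of the original article: it parses `ss -tln` output and flags listeners on the default database ports listed above that are bound to every interface rather than to loopback. The port-to-service map and the sample `ss` output are constructed here; a wildcard bind is only a candidate for review, since a host or network firewall may still block the port.

```python
from dataclasses import dataclass

# Default ports as listed in the service descriptions above (one service name per port).
DEFAULT_DB_PORTS = {
    6984: "Apache CouchDB", 9092: "Apache Kafka", 7000: "Cassandra", 9042: "Cassandra",
    7199: "Cassandra", 9200: "ElasticSearch", 9300: "ElasticSearch", 2379: "etcd",
    2380: "etcd", 6000: "HBase", 60010: "HBase", 60020: "HBase", 11211: "memcached",
    11212: "memcached", 11213: "memcached", 27017: "MongoDB", 27018: "MongoDB",
    27019: "MongoDB", 27020: "MongoDB", 3306: "MySQL", 1521: "Oracle TNS Listener",
    5432: "PostgreSQL", 6379: "Redis", 16379: "Redis cluster bus", 26379: "Redis Sentinel",
    1433: "SQL Server", 1434: "SQL Server Monitor",
}
# Bind addresses that mean "every interface", so the socket is reachable beyond the host.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}
@dataclass
class Listener:
    addr: str
    port: int
    service: str
    public: bool  # True when bound to a wildcard address rather than loopback/internal

def parse_local_addr(field):
    """Split an ss 'Local Address:Port' field such as '0.0.0.0:3306', '[::]:5432' or '*:6379'."""
    addr, _, port = field.rpartition(":")
    return addr, int(port)

def find_db_listeners(ss_output):
    """Return a Listener for every LISTEN row of `ss -tln` output on a known database port."""
    found = []
    for line in ss_output.splitlines()[1:]:      # first row is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = parse_local_addr(fields[3])  # fourth column is Local Address:Port
        if port in DEFAULT_DB_PORTS:
            found.append(Listener(addr, port, DEFAULT_DB_PORTS[port], addr in WILDCARD_ADDRS))
    return found

def exposed_services(ss_output):
    """Names of database services bound to all interfaces: candidates for firewall review."""
    return sorted({l.service for l in find_db_listeners(ss_output) if l.public})

# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      70         127.0.0.1:3306      0.0.0.0:*
LISTEN 0      244          0.0.0.0:5432      0.0.0.0:*
LISTEN 0      511             [::]:6379         [::]:*
"""
print(exposed_services(SAMPLE_SS))  # ['PostgreSQL', 'Redis']
```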
How UpGuard Can Help
Continuous monitoring of your external attack surface can help you take proactive measures against any potential known and unknown vulnerabilities, including services running on open ports. UpGuard's non-intrusive scanning detects whether your database service is accessible to the public internet, and you will be notified with specific findings for the database in question. Current UpGuard users can log in and access their Risk Profile in BreachSight to assess whether any of the database findings referenced in this article are impacting their organization.
For more information about other services UpGuard identifies through port scanning, see our support article on What services does UpGuard identify with port scanning.
Securing Your Database Management System
To keep your database protected, integrate security measures in the configuration setup. There are many resources available about setting security policies for specific databases and database management systems, including our tips for securing SQL and securing PostgreSQL databases. Ensure that you have set up data encryption policies.
Where possible, databases should be restricted to internal traffic and VPNs to prevent public visibility. When the database is only accessed through restricted methods, it cannot be identified by internet scans. If the database service is no longer in use, the port should be closed.
If the database server must be publicly accessible, a database administrator must maintain consistent updates to protect against known vulnerabilities and implement patches as needed when new issues are identified. Security teams should run regular database audits on anything with public access to identify security risks that might be exploited by attackers.
For services that support your database system, ensure that access is limited to internal networks or otherwise restricted to authorized IP addresses.
Once your system is in place and you have accounted for all necessary security controls, you can evaluate your exposure to cyberattacks by auditing your security measures and performing penetration testing to simulate security breaches and assess your data security.
Additional measures may be necessary to ensure physical security for any on-premises servers. If you deploy web applications with a cloud database, you can review your hosting provider's data protection policies to confirm alignment on security best practices.